NDIS Case Management System Provider Hacked – Security

A security breach of a cloud-based customer management system used by National Disability Insurance Scheme (NDIS) service providers has exposed a ‘large volume’ of health data and other sensitive data.

CTARS, a Sydney-based software and analytics provider for the disability and care sectors, revealed this week that an unauthorized third party gained access to its systems on May 15.

Less than a week later, on May 21, the company realized that “a sample of this data had been released on a [dark] web forum” after the third party claimed it had “taken a large volume of data”.

“While we cannot confirm details of all data in the time available, to be very cautious, we are treating any information held in our database as compromised,” CTARS said in a notice on its website.

“This data includes records containing personal information relating to our customers and their customers and caregivers.”

NDIS participants who depend on a disability care provider that uses CTARS for record keeping were warned that “personal, health, and other sensitive information” was stored in its systems.

The data breach information page suggests that sensitive health data “could include details of diagnoses, treatment or recovery from a medical condition or disability”.

Other data to be compromised includes health insurance and pensioner cards, as well as tax file numbers.

CTARS said that although the “very large volume” of data in its systems made it difficult to confirm the extent of the compromise, affected individuals would be contacted by their NDIS provider.

“If you have not been informed that your NDIS or OOHC [out of home care] provider is using CTARS and is part of the data breach, you have nothing to worry about,” the company said.

A spokesperson for the National Disability Insurance Agency (NDIA) told iTnews that it had been in contact with CTARS since becoming aware of the breach.

CTARS also reported the incident to the Australian Information Commissioner’s Office and the Australian Center for Cyber Security.

“CTARS provides a cloud-based client management system for the disability and care sectors, which the agency understands some NDIS vendors use as part of their operations,” the NDIS spokesperson said.

“Business decisions, including software use and data storage, are the business of individual organizations.”

New South Wales-based disability support service provider Caringa is the only NDIS service provider listed as a customer on the CTARS website, along with aged care providers Catholic Care Diocese of Broken Bay and Stepping Stone House.

The NDIA spokesperson also sought to emphasize that the incident was “not a breach of NDIA systems.”

“NDIS participants can be assured that the NDIA takes the protection of participant data and information security very seriously,” the spokesperson added.

CTARS has engaged the IDCare Cyber Identity and Assistance Service to help NDIS participants and providers, as well as OOHC participants and caregivers, navigate the data breach.

The company also requested the assistance of external cybersecurity and forensic specialists to “help contain the event, implement additional security measures and investigate the breach.”

“We take the privacy and protection of your personal information very seriously and sincerely regret any impact this incident may have on you,” CTARS added.